在使用大多数 API 时，为什么它们需要两种类型的身份验证，即密钥和秘密? [英] When working with most APIs, why do they require two types of authentication, namely a key and a secret?

问题描述

我一直在使用 API，我一直想知道为什么必须使用密钥和秘密?

I have been working with APIs and I've always wondered why you have to use a key and a secret?

为什么需要两种类型的身份验证?

Why do you need two types of authentication?

推荐答案

当服务器收到 API 调用时，它需要知道两件事:谁在发出调用，以及调用是否合法.

When a server receives an API call, it needs to know two things: Who is making the call, and whether or not the call is legitimate.

如果您只有一个项目(键")，并且每次调用时都包含它，它会回答这两个问题.服务器根据密钥"知道您是谁，并且因为只有您知道密钥，所以它证明呼叫实际上来自您.但是在每次通话中都包含密钥是一种糟糕的安全做法:如果有人甚至可以阅读您传输中的一条消息，那么您的密钥就会被盗用，并且有人可以冒充您.因此，除非您使用 HTTPS，否则这种方法是行不通的.

If you just had one item ("key"), and included it with every call, it would answer both questions. Based on the "key" the server knows who you are, and because only you know the key it proves that the call is actually coming from you. But including the key with every call is bad security practice: if someone can read even one of your messages in transit, your key is compromised, and someone can pretend to be you. So unless you're using HTTPS, this approach doesn't work.

相反，您可以在每次通话中包含一个数字签名，并用一些秘密"号码签名.(不发送秘密"号码本身).如果攻击者设法阅读您的消息，他们将无法从签名中找出这个秘密"数字.(这就是数字签名的工作方式:它们是单向的).

Instead, you can include a digital signature with every call, signed with some "secret" number. (The "secret" number itself is not sent). If an attacker manages to read your message, they won't be able to figure out this "secret" number from the signature. (This is how digital signatures work: they are one-way).

但这并不能解决识别问题:在后一种情况下，服务器如何知道谁在拨打电话?它可以尝试根据每个用户的秘密"来验证签名，但这当然会非常耗时.

But this doesn't solve the identification question: In the latter case, how does the server know who is making the call? It could try to verify the signature against the "secret" of every single user, but of course this would be very time-consuming.

所以，这就是我们要做的:发送密钥"(标识用户)和使用秘密"数字创建的签名(证明消息是合法的).服务器根据密钥查找用户，然后使用该用户的秘密"号码验证签名.

So, here's what we do: Send both a "key" (that identifies the user), and a signature created using the "secret" number (that proves that the message is legitimate). The server looks up the user based on the key, and then validates the signature using that user's "secret" number.

这有点像您写支票时:上面有一个帐号(以识别您的身份)和您的签名(以证明您是您).只有帐号并不能证明您确实写了支票.只有签名而没有帐号会迫使银行将您的支票与其所有账户的所有签名进行比较，这显然是低效的.

This is a bit like when you write a check: It has an account number on it (to identify you) and your signature (to prove that you're you). Having just the account number wouldn't prove that you actually wrote the check. Having just the signature without the account number would force the bank to compare your check against all of its signatures for all of its accounts, which would obviously be inefficient.

这篇关于在使用大多数 API 时，为什么它们需要两种类型的身份验证，即密钥和秘密?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！